iOS 8 Will Alleviate HIPAA Security Risk

Mobile MAC (Media Access Control) address signal gives us updated, unencrypted, presence and location from our mobile phones and gadgets. Today, it is possible to keep track of anyone connected to your smartphone or tablet using address signals to exactly pinpoint their location. However, given Apple’s coming changes on how they handle MAC address broadcasts, this won’t be the case for long. And when Apple does it, you can be sure that Google’s Android will do the same.

The way Wi-Fi scans interact with MAC addressing will be changed dramatically in Apple’s iOS 8. The shift to “randomly, locally administered” MAC addresses will result, to MAC addresses used for Wi-Fi scans being not always the exact location of the device. Practicality in question, there is a lost point in using random addresses to track people via their devices. Depending on the level of randomness used, MAC address broadcast will, at best, be impractical.

But before Apple releases the new software, there are still weeks and months for security privacy to stir up a real threat. An additional month before most users upgrade, maybe two for the others, and another month or two for Google’s Android to adapt the idea.

There is enough leeway for privacy security breaches to occur even before iOS 8 makes it to the market. For instance, there is the potential for a turncoat member of the hospital staff to track people via their records. We’re not talking about tracking doctors and hospital staff in the hospital, as that can be easily done once they log into the system. It’s more a matter of cyber thieves or hackers who could easily victimize anyone with a mobile device.

A specific MAC address would be tracked over time, this, eventually, causing a great deal of hassle. For example, in retail, retailers work with vendors who have a network of other retailers. This allows those companies to create detailed reports of every location visited by a MAC address. By overlaying it with purchase records, that address can be related with specific purchases, that then can be traced to specific persons if paid using payment or loyalty cards. Not only that, there are other database communications, such as security cameras in the mall, hospital and parking lots. Even face and clothing can be associated with that MAC address.

Facial recognition softwares started to be used by most vendors initially to identify shoplifters. Eventually, the need evolved to attaching names and purchase records to shoppers who pay with cash. Hospitals may not have the same business incentives for such identification program, but an employee with malicious intent could use the MAC address in an equally intrusive manner.

Daniel Wood, a security penetration tester who specializes on Apple devices says, “This is one of the better things Apple is doing with the upcoming version iOS 8.” With the new MAC address randomization that Apple is launching, privacy risks are mitigated.

“When you have Wi-Fi turned on with your iPhone/iPad, it is constantly polling the network airwaves for access and broadcasting the device identifier. It [iOS 8] will prevent, to an extent, the tracking of users when they are walking in range of wireless access points,” Wood added.

Another security penetration tester, Godfrey Nolan, said this move will highly affect vendors trying to track consumers. “Moving MAC addresses would stop the marketing people tracking you like they do on the web,” said Nolan.

Initially, this randomization will make IT jobs in healthcare more tedious. Healthcare networks that use MAC addresses for authentication before asking for password or PIN will find the change majorly problematic. A medical security systems provider, Acentec, explains that employees won’t automatically connect if the MAC address is randomized, they will have to sign themselves in.

Acentec’s CEO, Jeff Mongelli further explains, “Those networks that are relying on MAC will be forced to rely on something else, like an encrypted key, which will be a little more difficult to pick off,” he said. “That would be a good thing, from an improving security perspective. From an IT guy’s perspective, that’s a lot of work. They’ll have to reconfigure their firewalls. I think you could make the argument that this will add security, making mobile devices more secure. It will make trying to track people that much more difficult.”

Looking for great healthcare IT services in New York / New Jersey? Our healthcare IT security experts are here to ensure your patient records are 100% secure and your practice is compliant with all the HIPAA requirements. Call NY (845) 406-6800, NJ (201) 785-7800 or email us immediately at info@nynja.com.